In certain types of wireless networks, such as Global System for Mobile Communications (GSM) networks, service providers of such networks use subscriber identity module (SIM) in the form of removable smart card also known as Universal integrated Circuit Card (UICC) in mobile devices to identify and authenticate a subscriber/user. As is well-known, a SIM will typically include various types of information including subscriber identification/credentials, billing relationship, roaming support, and so forth.
Typically, the SIMs are provided directly to the end users by the service providers, and the information endowed in the SIMs are factory programmed. A SIM that is provided to an end user or subscriber will include a subscriber identity known as IMSI (International Mobile Subscriber Module) and a unique 128-bit private security key (known as Ki), programmed into the SIM when the SIM is manufactured. IMSI is used to identify the subscriber to the service provider during initial call establishment. A copy of the pre-programmed Ki is also typically stored at a Home Location Register (HLR) in the service provider network. The Ki is used to calculate the response to the challenges made in the authentication phase, and is also used to create the 64-bit encryption key (Kc) for encryption of user traffic during a call/session.
As briefly described above, a unique Ki is programmed into a SIM card before the SIM card is distributed to a user/subscriber. Since a matching Ki also needs to be programmed in the operator's HLR, the SIM card distributed to the subscriber is operator specific. This creates a challenge in retail distribution model of mobile devices since the purchasers of such devices needs to also have an operator specific SIM in the device before being able to connect to the corresponding network. Ideally, the retail distribution model should allow a device be sold to the end user without any embedded service provider specific image (i.e., service provider programs or data). Further, once a user decides to subscribe to a particular service provider, the device should be able to be provisioned over-the-air with the operator specific image and user credentials.